WFE: Windows Forensic Examiner

The IACIS WFE Training Program is a 36-hour course of instruction, offered over five (5) consecutive days. The program is designed to provide students with a detailed study of the Windows Operating System. Through a variety of lectures, instructor-led and independent hands-on practical exercises students will study the Windows operating system in far greater detail, and with far more specificity regarding critical areas of forensic focus, than what can be accomplished in the more generalized, overview perspective of the BCFE Training Program.

In short, this program will focus on how a variety of Windows Operating Systems work “under the hood”, with a focus on the most current/common versions. At the conclusion of this course, students will have a clearer understanding of various operating system artifacts and why they present as they do, and how knowledge of these artifacts can play a significant role in the forensic and investigative process.

The WFE Training Program champions a forensic tool-independent approach to learning. This approach allows for a deeper exploration of the underlying subject matter than might be afforded in other programs which are designed to complete a particular task or view/extract a particular artifact.

The WFE Training Program is designed to build on and expand the students existing forensic knowledge and skillset and is not an entry level class. Prospective students should reference the “Prerequisites” section elsewhere in this document for additional information about expectations for students.

The WFE Training Program will assist students in preparing for their CAWFE certification, however the training program is not taught to the certification, instead, students are recommended to take notes, participate, and make the most of the classroom environment. The material provided to students will be used as part of certification process, however, reading outside of the provided material is advisable and will benefit the student in obtaining a deeper understanding. As an example, the WFE material includes information about Artifact A, but the trainers focus on Artifacts B, C and D. The certification may include questions on Artifacts A and D.

Throughout the week long course topics will include:

  • Virtualization: Concepts, artifacts and practical usage. We explore the various terminology used to describe virtualization and its associated technologies. In this topic, we work through a command line approach to virtualize a suspect forensic image and discuss how to bypass user logon passwords.
  • Partitioning schemes: Understanding MBR and GPT partitioning schemes. We explore these common schemes and parse some of the structures at the hex level. Understanding some of these structures enables the examiner in linking devices to Windows artifacts.
  • File Systems: Overview of the common file-systems with a focus on NTFS and its critical use of metadata files and understanding of their structures.
  • Security Features and Encryption common to the Windows Operating System.
  • Registry: Concepts, structures and artefacts common to the Windows Operating System will be covered during the week including; SOFTWARE, SAM, SYSTEM, NTUSER.dat etc
  • Artifacts & More: We will review the concepts, identification and analysis of many Windows artefacts, such as how to determine application usage, user interactions, event logs, volume shadow copies etc. We also cover some of Microsoft Windows defaults in order to assist an examiner in determining user knowledge when things change from the norm.
  • RAM and virtual memory management concepts. We use command line tools to analyze a RAM image and determine application usage and user interaction.

WHEN:  May 01-05, 2023

COST: $2,495.00 US Dollars

Classroom laptops will be given to the students to take home and keep.


Registration for this course is closed.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 30, 2023: 1800 – 2100

             Monday, May 01, 2023: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is 16 miles from the Orlando International Airport, it has a large pool, spacious workout facility and is close to Disney World and Universal Studios.


Due to an unprecedented situation with Caribe Royale, the hotel is completely booked for week one of the 2023 IACIS Training event.   

IACIS is currently working with Orlando Marriott to determine if we can use it as overflow, but at the time of this writing we have no information on what they have available or if they will honor GSA rates. We will update this site as new information become available.

​​NAME​   ​​PHONE​  
Embassy Suites by Hilton Orlando Lake Buena Vista South   1(407)597-4000  
​​Orlando Marriott World Center​    1(407)239-4200  
Gaylord Palms Resort & Convention Center   1(407)586-0000  
​​Walt Disney World Swan​    1(407)934-3000  
Walt Disney World Dolphin Resort   1(407)934-4000  

Also, if you are government employee you may be able to use to find GSA rate lodging in the area.   

Please note: Availability at the Caribe Royale may change as time gets closer to the event so it is recommended that you check with the Caribe Royale often by using booking via this Caribe Royale Hotel link here. As a reminder, if you are not a Caribe Royale Hotel guest and require daily parking on hotel property during the event you will be responsible for all associated parking fees. 

Or book via phone by calling the following numbers: 

Reservations Toll Free: 1-800-823-8300/1-888-258-7501 or our local number 407-238-8000. 


If IACIS is unable to hold their 2023 Orlando training event, then all students who have registered and paid, will have the option of a full refund or a reserved seat at the 2024 training event.  IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled.  Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.